Abstract:
Control Flow Integrity is a principled approach for defending against control hijacking attacks. Previous approaches have been limited by the complexity of static analysis, and are overly permissive. CCFI is the first use of the cryptographic hardware present in modern processors to implement a CFI system. A CCFI enabled compiler inserts code to generate MACs and verify a hash of critical pointers.

To appear at:
CCS 2015

October 07, 2015Provisions: Privacy-PreservingProofs of Solvency for Bitcoin Exchanges

Speaker:
Joe Bonneau

Abstract:
Bitcoin exchanges function like banks, securely holding customers' bitcoins on their behalf. Several exchanges have suffered catastrophic losses with customers permanently losing their savings. A proof of solvency demonstrates cryptographically that the exchange controls sufficient reserves to settle each customer's account. This talk will describe Provisions, a privacy-preserving proof of solvency whereby an exchange does not have to disclose its Bitcoin addresses; total holdings or liabilities; or any information about its customers. Provisions can be extended to prevent exchanges from colluding to cover for each other's losses, as well as to enable features such as proving a positive surplus or enabling fractional-reserve banking. Provisions offers practical computation times and proof sizes even for a large Bitcoin exchange with millions of customers.

October 14, 2015Efficient RAM and Control Flow in Verifiable Outsourced Computation

Speaker:
Riad Wahby

Abstract:
Recent work on proof-based verifiable computation has resulted in built systems that employ tools from complexity theory and cryptography to address a basic problem in systems security: allowing a local computer to outsource the execution of a program while providing the local computer with a guarantee of integrity and the remote computer with a guarantee of privacy. However, support for programs that use RAM and control flow has been problematic. State of the art systems either restrict the use of these constructs (e.g., requiring static loop bounds), incur sizeable overhead on every step, or pay tremendous costs when the constructs are invoked.

This paper describes Buffet, a built system that solves these problems by providing inexpensive "a la carte" RAM and dynamic control flow. Buffet composes an elegant prior approach to RAM with a novel adaptation of techniques from the compilers literature. Buffet allows the programmer to express programs in an expansive subset of C (disallowing only "goto" and function pointers), can handle essentially any example in the verifiable computation literature, and achieves the best performance in the area by multiple orders of magnitude.

Abstract:
External kernel code, namely kernel modules and device drivers, has historically led to the majority of security and reliability issues in operating systems. Kernel modules account for more than 80% of all vulnerabilities, and over 90% of all critical vulnerabilities, in the Linux kernel. Similarly, 70% of Windows XP crashes are caused by drivers. Many of these issues arise from the inherent complexity of device drivers which are often tasked with interacting with low-level, error-prone interfaces. As such, correctness faults in drivers are also far too common. 7x more errors occur in Linux drivers than in the kernel. In Windows XP, drivers account for 85% of code errors.

We propose a language-based solution that ameliorates all of these issues. Our solution exploits properties of programming languages, namely affine and uniqueness types, to enable safe, correct, and performant kernel modules. When provided with a device's specification, we exploit uniqueness types to provide functional correctness guarantees at hardware and software interface boundaries. This same approach also guarantees the integrity of the system in the face of malicious or buggy drivers. The effective cost of the solution is minimal, only imposing that drivers and interfaces are written in such a language and with a particular structure.

Joint work with:
Alejandro Russo (Chalmers)

October 28, 2015Cracking Wi-Fi Passwords with CUDA

Speaker:
Sunjay Dhama (Stanford ISO)

Abstract:
I will be presenting my work on a practical implementation to cracking Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access II (WPA2) passwords with Compute Unified Device Architecture (CUDA). My tool does this by incorporating a password database that allows an attacker to easily store their word list in a database, which the cracking nodes query. I will briefly discuss WPA, CUDA, and AWS. Then I will describe work that has already been done. Next I will describe my implementation of the attack and how it differs from existing tools. Finally, I will discuss countermeasures to help mitigate it. If there is time at the end I would like to demo my tool, which can be found here.

November 04, 2015Bringing Elliptic Curve Cryptography into the Mainstream

Speaker:
Nick Sullivan (CloudFlare)

Abstract:
In this talk I will describe how CloudFlare helped take elliptic curve cryptography from a promising technology with low adoption to core part of the HTTPS revolution.

Two years ago, almost every public key used on the web for HTTPS was an RSA key. In 2013, the zmap team from University of Michigan scanned the entire web and found fewer than twenty non-RSA certificates. Over the next two years, CloudFlare took that number into the millions with the Universal SSL project. We'll describe how using ECDSA (Elliptic Curve Digital Signature Algorithm) keys instead of RSA keys played a crucial role in enabling this project. With Universal SSL, any website can become HTTPS-enabled for free.

Elliptic curve cryptography is not just useful for HTTPS, there are other protocols for which it provides an advantage over RSA. One of these is DNSSEC, the algorithm that lets administrators digitally sign DNS records for authenticity. DNSSEC been described as difficult deploy and dangerous because of the potential to abuse it in amplification/reflection attacks. In October 2015, CloudFlare launched its automated DNSSEC beta program. We’ll describe some of the tweaks we made to easily scale DNSSEC to millions of zones and how ECDSA keys helped solve some of the protocol’s major issues.

November 11, 2015Rescheduled to THURSDAY

November 12, 2015The Privacy Properties of Telephone Metadata

Note:We are meeting on THURSDAY this week in Gates 104.

Speaker:
Patrick Mutchler

Abstract:
Since 2013, a stream of disclosures have prompted reconsideration of surveillance law and policy. One of the most controversial principles, both in the United States and abroad, is that communications metadata receives substantially less protection than communications content. Several nations currently collect telephone metadata in bulk, including on their own citizens. In this work, we attempt to shed light on the privacy properties of telephone metadata. Using a novel crowdsourcing methodology, we demonstrate that telephone metadata is densely interconnected, can trivially be re-identified, and can be used to draw sensitive inferences.

November 18, 2015Auditing the Internet of Things: How to Monitor What Our Own Devices are Saying About Us

Speaker:
Judson Wilson

Abstract:
Today, Internet of Things devices communicate confidentially with their manufacturer’s cloud services. The owner must trust that the device is not saying too much, or more than the manufacturer claims. We propose that consumers have the right and ability to audit what their own things are saying about them: they should be able to monitor their devices with a read only auditor that preserves end to end authenticity and integrity of communication with the cloud. We propose a system that utilizes traditional TLS in a new way to enable auditing-devices with these properties.

November 25, 2015No Meeting: Thanksgiving Break

December 02, 2015Password Hashing, Space-Hardness, and the Balloon Functions

Speaker:
Henry Corrigan-Gibbs

Abstract:
As data breaches occur with alarming frequency (U.S. companies have reported 169 major breaches already in 2015), prudent systems administrators take steps to limit the fallout from such breaches before they occur. One important technique for doing so is to store user passwords under a strong password hashing function. Password hashing increases the cost of offline dictionary attacks against stolen password files and account records and thus provides some protection even after a breach takes place. In the first part of this talk, I will introduce the problem of password hashing and will explain the reasons to prefer space-hard password hashing functions over conventional cryptographic hashes. In the second part, I will discuss ongoing work on the design and analysis of the Balloon hash functions, a new family of space-hard hash functions that are fast enough for real-world use and yet exhibit very strong space-hardness properties. The Balloon hash algorithms are surprisingly easy to describe but arguing formally about their security properties presents a number of technical challenges.

Abstract:
In many scenarios, a central party wants to collect reports from endpoints, and is interested in an aggregate result, such as a total sum or an average of data samples, rather than individual values themselves. We present a protocol for delivering reports from endpoints to a central authority in a privacy-preserving manner. Unlike methods based on randomized reports or differential privacy, the protocol we propose is suitable for collecting reports about rare occurrences that would otherwise be masked by the added noise. This paper discusses several possible approaches to this problem, points out their advantages and limitations, presents our protocol for the case of computing an average over tens of millions of reported values, and describes its security properties in light of the threat model.